Sorting through the Patch Thursday and Friday offerings

Topic

New Reply

My head is still spinning. Over the past two days (in addition to learning that Windows honcho Terry Myerson is leaving, and the Windows team is being
[See the full post at: Sorting through the Patch Thursday and Friday offerings]

7 users thanked author for this post.

Cascadian, JDeC, AJNorth, SueW, EspressoWillie, Microfix, Elly

Reply | Quote

Replies

woody wrote:

My head is still spinning. Over the past two days (in addition to learning that Windows honcho Terry Myerson is leaving, and the Windows team is being[See the full post at: Sorting through the Patch Thursday and Friday offerings]

Thanks for the update Woody.  I hope when the dust settles, you’ll be able to provide a complete list of what Windows 7 patches need to be installed, and the correct order in which to install them.

2 users thanked author for this post.

Cybertooth, JDeC

Reply | Quote

Yeah. I’m not looking forward to that.

1 user thanked author for this post.

JDeC

Reply | Quote

woody wrote:

Yeah. I’m not looking forward to that.

I’m sure you aren’t, but based on Susan “Patch Lady” Bradley’s latest post, it looks like we’re going to need that list sooner rather than later.

Should Windows 7 x64 users like myself:
1. Run the pre-4088875 script
2. Install KB4088875
3. Install KB4100480

Or should we just install KB4100480 and hope that April’s rollup resolves the other issues?  Or do something else entirely?  Inquiring minds need to know!  And need to know now!

Thank you in advance for your guidance.

1 user thanked author for this post.

WildBill

Reply | Quote

Alpha128….my exact thoughts as well.  There is no way I can make sense out of the Win7 updates on my own.  Right now, I have not idea what should be installed and in what order or do we just hide all March patches and wait for a better April.

We’re counting on you, Woody!!!!

1 user thanked author for this post.

JDeC

Reply | Quote

See the answer here

Reply | Quote

and we’re still only defcon 2? defcon 1 might fit better, i think. 😀

Reply | Quote

And where do we stand with the memory leak associated with SMB server?

Reply | Quote

There is no indication that issue has been fixed. That issue was introduced in the January 2018 updates according to Microsoft’s documentation.

2 users thanked author for this post.

AJNorth, woody

Reply | Quote

I installed KB4100480 yesterday as per MrBrian’s advice. Hadn’t done any March updates, but had Jan./Feb. updates for Win 7. Don’t seem to be having any problems. Should I uninstall or leave everything as is for now?

Reply | Quote

I didn’t necessarily recommend to install KB4100480 now, but I mentioned that I already did, and that Microsoft recommends in all affected KB articles that those with the affected updates install KB4100480 “immediately” (example).

If you’ve already installed KB4100480 and aren’t having issues, I recommend to leave it installed.

4 users thanked author for this post.

walker, AJNorth, woody, Demeter

Reply | Quote

I have installed it as well because… well, i’m not sure why but it seemed a better plan than extracting the two security only patches i’ve already installed (january & february), given that it supposedly only contained a small subset of the broken march updates. Also that ulf fellow seemed to know what he was talking about so here we are. I’m not having any problems as yet but after reading today’s posts now i’m not so sure it was wise to do so.

I think it should also be mentioned that those who just install security only updates won’t be offered KB4100480 through windows update but will have to get if from the catalog.

1 user thanked author for this post.

MrBrian

Reply | Quote

Alpha128…my sentiments as well.  There is no way I can decide about the March Win 7 updates by myself.  What should we install and in what order or just hide them all and wait for a better April?  We’re counting on you, Woody?

Reply | Quote

See the answer here

Reply | Quote

I’ve simply uninstalled all 2018 OS security updates from my win7 boxes – I may be done with MS updates, period.

1 user thanked author for this post.

Cybertooth

Reply | Quote

What a complete clusterfunction.

mulletback, I’ve decided on the same approach– I’m done feeding my Win 7 boxes the Microsoft dogfood updates. It’s been a non-stop carnival show this year. The cure is worse than the disease. I’ll continue to patch my Win 8.1 boxes as those seem to fair a bit better.

Thanks for the headaches, Satya. You owe me some painkillers.

1 user thanked author for this post.

Cybertooth

Reply | Quote

Thank you so much for all your sleuthing and research.  This definitely saved my bacon!

Cheers!!
Willie McClure
“We are trying to build a gentler, kinder society, and if we all pitch in just a little bit, we are going to get there.” Alex Trebek

Reply | Quote

I am a baffled non-tech lawyer trying to keep my wife’s SOHO machines (Win 7 Pro 64-bit) secure.  Have no idea what I should do with the amazing number of March patches, some Important, some Optional, some checked, some unchecked, some in MS Update Catalog, some changing after being issued.

What is this?

Reply | Quote

@ghz I would highly recommend that you do not install any march patches whether important, recommended, checked or unchecked or any in the Catalog until Woody and the resident experts have fully tested and have definitive results.

Just keep your antivirus software up-to-date and check in here now and again for the update walkthrough on updating your system.

In this current patching climate, it pays to wait.

Keeping IT Lean, Clean and Mean!

2 users thanked author for this post.

woody, SueW

Reply | Quote

I am so done trying to keep up with all of this. Alot of what those who know all of the technical aspects is complete jibber-jabber to me. I am doing nothing but checking the DEFCON level. Enjoy Easter/Passover.

Edit: Please don’t thinly veil bad language. While we understand you may be passionate about the subject, please respect the Lounge Rules.

Reply | Quote

A fix for patches that don’t have problems

Also on Thursday afternoon, Microsoft dropped a handful of patches that fix other bad bugs in previous patches. Susan Bradley has a short list that includes KB 4096309 for Win10 1607/Server 2016 that “Addresses an issue that can cause operational degradation or a loss of environment because of connectivity issues in certain environment configurations after installing KB4088889 (released March 22, 2018) or KB4088787 (released March 13, 2018).” As Susan notes, both of the referenced fixes are still listed in the KB articles as “Microsoft is not currently aware of any issues with this update.”

Three, I say three, Cumulative Updates so far this month for Win10 1607/Server 2016? My head hurts. I’m going back to bed.

Reply | Quote

“Many folks were wondering how this patch stacks up with all of the (many!) other problems we’ve seen with this month’s Win7 Monthly Rollup and Security-only patches. The Folks Who Know Such Things now say that this patch does, indeed, introduce all of those problems — the SMB server memory leak that brings down servers, random re-assignment of static IP addresses, and three separately triggered bluescreens.”

It’s possible that KB4100480 might introduce some or all of the issues that KB4088875 or KB4088878 have to computers that don’t already have KB4088875 or KB4088878 installed because KB4100480 installs some of the files in KB4088875 or KB4088878. However, KB4100480 doesn’t necessarily have all of the issues that KB4088875 or KB4088878 have for computers that don’t already have KB4088875 or KB4088878 installed because KB4100480 doesn’t install every file in KB4088875 or KB4088878. Example: KB4100480 doesn’t install pci.sys according to this list of files in KB4100480, therefore KB4100480 might not introduce the networking issues that KB4088875 or KB4088878 have.

5 users thanked author for this post.

HiFlyer, walker, Cascadian, woody, SueW

Reply | Quote

@Mr.Brian:    I installed the KB4100480 yesterday, as advised, and have had no problems as yet.  I had two of the “time bomb updates” installed and as directions were to install the KB4100480 I proceeded to do so with no adverse effects (as of now).   Thank you once again for your advice in dealing with this mess.     🙂

2 users thanked author for this post.

HiFlyer, MrBrian

Reply | Quote

I have already installed all thuesday patches of this month. Now WU offered me KB 4099950, so i installed it. But now i read it must be installed before KB 408875. So what happen now? I installed first 408875 and now 4099950. Thank you. Win 7 64bit

Reply | Quote

TheOwner wrote:

So what happen now?

Please, you tell us. Seriously.

-Noel

5 users thanked author for this post.

HiFlyer, AJNorth, satrow, woody, Elly

Reply | Quote

“Ulf Frisk, the guy who discovered this gaping security hole (where a program can read or write data essentially everywhere on Intel PCs running 64-bit Win7/Server 2008R2), said on Wednesday that this month’s Monthly Rollup fixes the hole. The next day he said that, oops, this month’s Monthly Rollup doesn’t fix the hole and Microsoft revealed that, uh, this month’s Monthly Rollup actually introduces the hole.”

The January and February 2018 updates listed at https://support.microsoft.com/en-us/help/4100480/windows-kernel-update-for-cve-2018-1038 also have the Total Meltdown vulnerability.

5 users thanked author for this post.

HiFlyer, AJNorth, woody, Microfix, Noel Carboni

Reply | Quote

That sounded a bit odd to me too.

All in all, patching has not presented a good face for Microsoft so far in 2018.

That being said, and in an interest to provide balance, the chief engineer at my company – who runs macOS on an iMac and Windows 7 in a VMware Virtual Machine to do his Windows development – some time ago decided to keep his Windows 7 system on 100% Microsoft-supplied Windows Update settings (i.e., automatic group A). He tells me that so far he’s had no problems with it whatsoever. Of course, he makes good backups and he has VMware snapshots, so if he does have a problem – even a bad one – there’s an easy, quick fix to get his working environment back to working. Maybe the presence of the safety nets averts problems (Murphy’s law). And to be fair he does use his virtual Windows system in a limited way – e.g., he runs Visual Studio in Windows, but browses the web and does eMail, Skype, etc. using his native macOS environment directly.

-Noel

4 users thanked author for this post.

AJNorth, Microfix, Elly, MrBrian

Reply | Quote

One thing that strikes me straight away Noel is, if that chief engineer’s W7 machine has group A (automatic patching) then surely ALL the telemetry is fully functional.

Therefor, my (open a can of worms) question is: does leaving telemetry ON as intended, actually preserve the health of the system over a long period of time for future/current patching?

Although many (myself included) don’t like the idea of telemetry, perhaps telemetry is actually the saviour (better the devil we know).

Could disabling telemetry actually create longterm OS issues?

Keeping IT Lean, Clean and Mean!

Reply | Quote

That’s entirely possible – and very troubling.

8 users thanked author for this post.

HiFlyer, SueW, walker, Microfix, AJNorth, flackcatcher, Elly, lurks about

Reply | Quote

I don’t think so. Since the introduction of Microsoft’s GWX along with other updates which install telemetry, I have been on Group B and have additionally killed all Task Manager tasks which gather telemetry in addition to having CEIP disabled on those computers.

Reply | Quote

Like, the New York Times, the Wall Street Journal’s coverage of Microsoft’s announcement of Terry Myerson’s departure etc. treated it as a statement that Microsoft was more or less casting Windows adrift.  No doubt that is precisely what was intended.

So much for support until 20XX and all that.  It looks like we can expect nothing but continued incompetence and hazards from patches.

 

Reply | Quote

Or maybe we can hope for a course change when leadership changes. Many feel the course Microsoft is now on isn’t the right one.

I guess the question in my mind is: Can a new leader come in who resets the path of Windows back to the straight and narrow?

One way to think about it might be to imagine mothballing the current code base for Windows 10, resurrect the code base for Windows 7, very carefully port select architecture changes to it from Windows 10, then move it in the direction it was going back in the early 2010s. Call it “Windows for Serious Computing” or “Windows as an Operating System” or maybe just “Windows 7.2” (who wouldn’t buy that?).

It won’t be quick – but that’s okay – we don’t need quick, we need stable/useful! It’s an operating system. The stable foundation for things that change more rapidly.

Microsoft has always been an adept manager of mediocrity – possibly the best on the planet. They have turned “needing to stay tied to Microsoft because of the problems they themselves created” into an art form. But there’s really only so far they can go with that. At some point things have to actually work.

-Noel

10 users thanked author for this post.

Steve, HiFlyer, SueW, AlexEiffel, AJNorth, Cybertooth, Cascadian, wdburt1, lurks about, EricEWV

Reply | Quote

@Noel – The current monthly patching debacles is probably forcing more serious searching for alternatives, which do exist. For many, any OS will do just fine given what they use a computer for so a Chromebook, Mac, or a Linux distro is a reasonable alternative (listed in order I think users will adopt). Those who have a key Windows only application may be able to run it in a VM but mileage will definitely vary. MS is creating a serious opportunity for others to step and provide a solid, stable OS that lacks the drama of the monthly patching.

1 user thanked author for this post.

Cybertooth

Reply | Quote

Windows Patching DEFCON:

The Only Winning Move Is Not To Play!

4 users thanked author for this post.

SueW, Carl D, woody, AlphaCharlie

Reply | Quote

DEFCON ZERO?

Reply | Quote

Actually, Defcon -2 (-3?) at this point… as I’m following Susan’s recomendation and rolling back to December!

Non-techy Win 10 Pro and Linux Mint experimenter

3 users thanked author for this post.

HiFlyer, satrow, MrBrian

Reply | Quote

Don’t get !desufnoc

AskWoody’s MS-DEFCON is well worth playing 🙂

Keeping IT Lean, Clean and Mean!

Reply | Quote

I didnt notice anything by installing this fix after patch. But i dont udnerstand why WU offer me that update if i already have mothly pach installed.

Reply | Quote

Fail-safe

1 user thanked author for this post.

HiFlyer

Reply | Quote

I’m Group B Win 7 x64 current on IE11 and security only patches through February.

I’m trying to decide whether to install KB4100480. So, I’m wondering just how likely it is for the security hole this KB patches to be exploited. Apparently, this hole is easy to exploit, but does an attacker need to have physical access to my machine. Or can the hole be exploited by malware? Or is their some other way the exploit can occur?

What I’m getting at is if my machine is physically safe and I’ve got up to date MS Security Essentials and am a very conservative web surfer (no ads and only a handful of sites – gmail, askwoody and a couple of bank/financial sites), then just how susceptible am I – and also the handful of retired folks I help with patches?

Installing KB4100480 seems to come with a set of unknown problems, some or all of which have been found in the March patches, so if I’m in a pretty safe position, I’d really rather not install it yet. I’d also rather not rollback to December, not only because of the hassle factor, but because there were, I think, holes other than Meltdown and Spectre that were patched in January and February.

Maybe other folks here are in a similar situation. So I’d be interested in what some of our experts (MVPs and others) think.

Thanks.

1 user thanked author for this post.

HiFlyer

Reply | Quote

I installed KB4100480 and rebooted the computer. The system booted without error.

The patch appears not to have borked my system.

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender

2 users thanked author for this post.

HiFlyer, MrBrian

Reply | Quote

The Total Meltdown vulnerability (fixed by KB4100480) can be used by malware to elevate privileges. I don’t know if the Total Meltdown vulnerability can be exploited via JavaScript delivered in a web page to a web browser.

2 users thanked author for this post.

HiFlyer, AlexEiffel

Reply | Quote

Javascript in a web browser can exploit TotalMeltdown, and no fancy timing is required since any program, script or code has access to all kernel and program memory. This is why TotalMeltdown is unbelievably severe. Any program or script can exploit TotalMeltdown. No malware techniques whatsoever are required.

2 users thanked author for this post.

HiFlyer, SueW

Reply | Quote

Do you have a source for that? It is very scary to think javascript could be used to easily read and write any part of memory. If it is that easy, why don’t we see a lot of malware exploiting that in the field?

1 user thanked author for this post.

HiFlyer

Reply | Quote

Okay, we have two Win 7 64 bit computers and two Windows 7 32 bit computers.

KB4100480 is described as a fix for 64 bit computers. Does this mean I skip it on the two 32 bit computers?

At this point, I’m ready to remove January’s and February’s security only updates. I am not close to doing anything with the March mess.

I do make images so if I notice something unusual, I’ll restore a late December image.

Got coffee?

1 user thanked author for this post.

HiFlyer

Reply | Quote

KB4100480 should not be installed on Windows 7 32-bit operating systems.

2 users thanked author for this post.

HiFlyer, plodr

Reply | Quote

A couple of short points here. First, take a breath people. This is a massive screw up that is more damaging to Microsoft’s bottom line than causing any problems to your personal PC. Yes, if not fixed, then these ‘holes’ could maybe in the future lead to easy exploits. But the odds that causal users will be hit are small. My advice is simple. Make sure your AV programs are up to date, your browser the latest version and sit tight. And for goodness sake, listen to Woody, Susan, and the MVP’s here and you will be OK. Relax. There is no need to panic yet. Second point. Susan has every reason to be angry. Small and medium size business are going to bare the brunt of this major failure on Microsoft’s part. I don’t care how Satya spins this, he is done. No CEO survives the kind  of rolling mistakes that puts a major 500 on the block. The reason Microsoft has been successful is that up to now, they have had one of the best ‘fix it’ organizations on the planet, backed up by one of the finest Q and A division  anywhere. To put it plainly, even if Microsoft’s OS or programs were utter c**. They would make every effort to either fix, or upgrade said piece of software for their clients, and in most cases do it free. That was not only part of Microsoft’s written contract language, it was at the core of what they did as a company. That’s mostly gone now, Satya’s wiped it out. The bulk of business in the United States, and around the world are mom and pop outfits who either have to do their own, or hire someone like Susan Bradley to handle their back end operations. Think about it. Satya has though his own high handedness, put many of these small companies at serious risk of a breach.  Not their fault. They trusted a major vendor who up till now  has held up the end of their deal. (Went a little longer than I thought. Sorry about that.)

10 users thanked author for this post.

Steve, HiFlyer, woody, GoneToPlaid, bosun1, SkipH, mindwarp, lurks about, Cybertooth

Reply | Quote

I’m on Windows 8.1, but not crowing at all. I really feel for those on Windows 7, because these problems aren’t your fault, they’re Microsoft’s. If this is another scam to con Win 7 users to upgrade to Win 10, then it’s totally wrong. Since Microsoft abandoned Win 8.1 for the enterprise, they don’t care if we upgrade. With more users still on Win 7, they’re a target. I don’t trust Nadella, since he cares about the cloud more than the desktop.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

2 users thanked author for this post.

HiFlyer, David F

Reply | Quote

MrBrian wrote:

It’s possible that KB4100480 might introduce some or all of the issues that KB4088875 or KB4088878 have to computers that don’t already have KB4088875 or KB4088878 installed because KB4100480 installs some of the files in KB4088875 or KB4088878. However, KB4100480 doesn’t necessarily have all of the issues that KB4088875 or KB4088878 have for computers that don’t already have KB4088875 or KB4088878 installed because KB4100480 doesn’t install every file in KB4088875 or KB4088878. Example: KB4100480 doesn’t install pci.sys according to this list of files in KB4100480, therefore KB4100480 might not introduce the networking issues that KB4088875 or KB4088878 have.

OMG I got a headache trying to sort out the logical chain in this paragraph. There’s a tongue-twister feel to it.

Reminds me of the old poster that read:

I know that you believe that you understood what you think I said, but I am not sure you realize that what you heard is not what I meant.

No fault of @MrBrian, it’s the nature of the MS beast.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

6 users thanked author for this post.

HiFlyer, SueW, MrBrian, Cascadian, Elly, AJNorth

Reply | Quote

In case you missed it, please read this post.

5 users thanked author for this post.

SueW, mulletback, Cybertooth, Cascadian, Elly

Reply | Quote

Thanks, @mrbrian. When I visit Woody’s I tend to open the comments threads starting from the top (most recent blog post) in the Home section, so it would have been a while before I saw your referenced post which came in since the last time I went into that thread.

The situation with those updates is much clearer now.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

HiFlyer

Reply | Quote

Same experience, guess I didn’t want to be first to admit it. Very willing to support the person who stepped up and did. I see MrBrian has already given the link I came to add, where he breaks it apart much better, and with full supporting argument.

But on this first, short, inline circulating logic path: first my eyes rolled and would not focus, then I squinted and tried again, I was sure I read it wrong, then I suspected MrBrian typed it wrong, on the fifth try it clicked, and after six strokes at the ball I picked it up and walked away. I understood it, but wondered how many times MrBrian reread it before posting.

Both the original twister, and your old glossy wall poster gave a good giggle. Thanks.

3 users thanked author for this post.

HiFlyer, MrBrian, Cybertooth

Reply | Quote

Oh this is wonderful! Installing MS’ patches on Windows 7 PCs is getting more and more reminiscent of a film sequence from The Matrix.

1 user thanked author for this post.

HiFlyer

Reply | Quote

woody wrote:

My head is still spinning. Over the past two days (in addition to learning that Windows honcho Terry Myerson is leaving, and the Windows team is being[See the full post at: Sorting through the Patch Thursday and Friday offerings]

Does anyone besides me think that it might be time to consider a class-action lawsuit against Microsoft over this interminable patching mess? I’m not an attorney, but isn’t there at minimum an implied contract between Microsoft and its users to, in good faith, support specific products up to a specific date, i.e. Windows 7, through mid-2020? And wouldn’t that good-faith support have to be at the very least reasonably competent, i.e. actually improve the product I’m patching and not damage it or further weaken my protection against cyber attack? And wouldn’t it be easy to show there have been many instances where it has not been? And haven’t many of us suffered real, provable damages from Microsoft’s long history of incompetent and irresponsible handling of security and product patching? For instance: If I can document–as I can–that I have recently had to spend seven hours uninstalling an admittedly botched Microsoft patch, am I not entitled to be compensated at my hourly rate for the time required to fix Microsoft’s admitted error? And hasn’t Microsoft put thousands, if not hundreds of thousands, if not millions, of people in this same predicament? And mightn’t that amount to billions of dollars? And wouldn’t a percentage of those billions make a worthwhile payoff for a law firm willing to take something like this on? Should my clients have to pay for Microsoft’s incompetence? Am I and my clients not entitled to a minimum of respect? Am I obliged to simply take this kind of treatment endlessly without recourse, accountability, or the ability to petition to have my grievances recognized and addressed?

Just askin’.

 

GaryK

1 user thanked author for this post.

HiFlyer

Reply | Quote

gkarasik wrote:

[…]And wouldn’t a percentage of those billions make a worthwhile payoff for a law firm willing to take something like this on?[…]

Ah, therein lies the problem. Even assuming that a class-action lawsuit goes forth and succeeds, the lawyers will get hundreds of million$ and you and I will each get a check for $2.50. Or better yet, we’ll receive “compensation” in the form of a credit for the purchase of future Microsoft products and services.

Microsoft may be punished, but the amounts that MS customers themselves get will be trivial, when not downright insulting.

All very good questions that you ask, BTW.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

HiFlyer

Reply | Quote

Cybertooth wrote:

gkarasik wrote:

[…]And wouldn’t a percentage of those billions make a worthwhile payoff for a law firm willing to take something like this on?[…]

Ah, therein lies the problem. Even assuming that a class-action lawsuit goes forth and succeeds, the lawyers will get hundreds of million$ and you and I will each get a check for $2.50. Or better yet, we’ll receive “compensation” in the form of a credit for the purchase of future Microsoft products and services. Microsoft may be punished, but the amounts that MS customers themselves get will be trivial, when not downright insulting. All very good questions that you ask, BTW.

Going by past experience, you are doubtless correct that we’d get pennies while the attorneys would reap the real rewards, but I’m trying to frame the questions in a way that might interest an attorney, i.e. there might be some serious bucks here, and there might be an actual, winnable case. Direct, monetary reward to me aside, however, if–yes, lots of ifs–such a case were to be brought and were to be won and were to force a change in Microsoft’s behavior, that would save me and my clients much future time and agony, which for me would be direct reward enough. Nothing personal to Woody, who’s performing a much-needed service for us, but all in all it would be better if that service were no longer necessary.

GaryK

2 users thanked author for this post.

HiFlyer, Cybertooth

Reply | Quote

@gkarsik @cybertooth

Please try to keep the subject matter about patching. Lawsuits are a bit off-topic here. 🙂

2 users thanked author for this post.

woody, Cybertooth

Reply | Quote